CLAIMS

We claim:

1. Method for operating a first node in a network including at least one second node, comprising the steps of:
   establishing at said first node a coincident endpoint for an outer connection and an inner connection with respect to at least one second node;
   responsive to receiving a nested packet from said second node on said outer connection, decapsulating said packet into a first packet and then performing source-in network address translation on said first packet; and
   responsive to receiving a second packet at said inner connection, performing source-in network address translation on said second packet, and then encapsulating said second packet into a nested packet for communication on said outer connection to said second node.

2. The method of claim 1 wherein said first node comprises an enterprise gateway and said first node a remote client.

3. Method for managing connections within a communications system, comprising the steps of:
   configuring an outer connection;
   communicating from a client to a gateway on said outer connection a request to configure a secure inner connection;
   responsive to said request, initializing said gateway to receive a future nested communication, including obtaining a client address from a packet on said outer connection;
   starting said inner connection;
   responsive to starting said inner connection, propagating a network address translation rule from said outer connection to said inner connection.

4. The method of claim 3, further comprising the step of:
   further responsive to starting said inner connection, encapsulating a packet outbound from said gateway first in said inner connection and then in said outer connection.

5. The method of claim 4, further comprising the steps of:
   responsive to receiving a packet at said gateway, determining if said packet has a security header;
   responsive to said packet having said security header, decapsulating said packet and saving any address translation rule included within said packet; and
   applying said address translation rule to said packet and thereafter communicating said packet from said gateway to said client.

6. The method of claim 5, further comprising the steps of:
   iteratively executing said decapsulating step until a resulting decapsulated packet no longer contains a security header.

7. Method for enabling a local gateway to handle dynamically assigned IP addresses from remote clients, comprising the steps of:
   assigning said IP address to a remote client;
   automatically maintaining between said remote client and said gateway nested connections with local coincident endpoints.

8. The method of claim 7, wherein said nested connections comprise an inner connection and an outer connection.

9. The method of claim 8, further comprising the steps of:
   responsive to receiving a nested packet from said client on said outer connection, decapsulating said packet into a first packet and then performing source-in network address translation on said first packet; and
   responsive to receiving a second packet at said inner connection, performing source-in network address translation on said second packet, and then encapsulating said second packet into a nested packet for communication on said outer connection to client.

10. System for operating a first node in a network including at least one second node, comprising:
   an inner connection;
   an outer connection;
   a local coincident endpoint for said outer connection and said inner connection at said first node with respect to at least one second node;
   said first node being responsive to receiving a nested packet from said second node on said outer connection for encapsulating said packet into a first packet and then performing source-in network address translation on said first packet; and
   said first node being further responsive to receiving a second packet at said inner connection for performing source-in network address translation on said second packet, and then encapsulating said second packet into a nested packet for communication on said outer connection to said second node.

11. Method for extending virtual private network (VPN) network address translation (NAT) to include support for nested connections with coincident endpoints, without requiring any special configuration for the inner (nested) VPN connection, with respect to VPN NAT, comprising the steps of:
   configuring an outer connection with a VPN NAT rule;
   communicating from a client to a gateway on said outer connection a dynamically generated security association request packet to configure a secure inner connection;
   responsive to said request, initializing said gateway to receive a future nested communication, including obtaining a client address from said request packet on said outer connection;
   starting said inner connection;
   responsive to starting said inner connection, propagating said VPN NAT rule from said outer connection to said inner connection.

12. The method of claim 11, further comprising the step of:
   further responsive to starting said inner connection, encapsulating a packet outbound from said gateway first in said inner connection and then in said outer connection.

13. The method of claim 12, further comprising the steps of:
   responsive to receiving a packet at said gateway, determining if said packet has a security header;
   responsive to said packet having said security header, decapsulating said packet and saving any VPN NAT rule included within said packet; and
   applying said NAT rule to said packet and thereafter communicating said packet from said gateway to said client.

14. The method of claim 13, further comprising the step of iteratively executing said decapsulating step until a resulting decapsulated packet no longer contains a security header.

15. The method of claim 13, further comprising the step of supporting L2TP within said internal connection.

16. System for extending virtual private network (VPN) network address translation (NAT) to include support for nested connections with coincident endpoints, without requiring any special configuration for the inner (nested) VPN connection, with respect to VPN NAT, comprising:
   a gateway;
   a client;
   an inner connection for connecting said gateway and said client;
   an outer connection for connecting said gateway and said client;
   said outer connection being configured by said client with a VPN NAT rule;
   said outer connection for communicating from said client to said gateway a dynamically generated security association request packet to configure said inner connection;
   said gateway further responsive to said request for initializing said gateway to receive a future nested communication, including obtaining a client address from said request packet on said outer connection;
   said gateway further responsive to starting said inner connection for propagating said VPN NAT rule from said outer connection to said inner connection.

17. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps for operating a first node in a network including at least one second node, said method steps comprising:
   establishing at said first node a coincident endpoint for an outer connection and an inner connection with respect to at least one second node;
   responsive to receiving a nested packet from said second node on said outer connection, decapsulating said packet into a first packet and then performing source-in network address translation on said first packet; and
   responsive to receiving a second packet at said inner connection, performing source-in network address translation on said second packet, and then encapsulating said second packet into a nested packet for communication on said outer connection to said second node.

18. A computer program product or computer program element for operating a first node in a network including at least one second node according to the steps of:
   establishing at said first node a coincident endpoint for an outer connection and an inner connection with respect to at least one second node;
   responsive to receiving a nested packet from said second node on said outer connection, decapsulating said packet into a first packet and then performing source-in network address translation on said first packet; and
   responsive to receiving a second packet at said inner connection, performing source-in network address translation on said second packet, and then encapsulating said second packet into a nested packet for communication on said outer connection to said second node.

19. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps for managing connections within a communications system, said method steps comprising:
   configuring an outer connection;
   communicating from a client to a gateway on said outer connection a request to configure a secure inner connection;
   responsive to said request, initializing said gateway to receive a future nested communication, including obtaining a client address from a packet on said outer connection;
   starting said inner connection;
   responsive to starting said inner connection, propagating a network address translation rule from said outer connection to said inner connection.

20. The storage device of claim 19, said method steps further comprising the step of:
   further responsive to starting said inner connection, encapsulating a packet outbound from said gateway first in said inner connection and then in said outer connection.

21. The storage device of claim 20, said method steps further comprising the steps of:
   responsive to receiving a packet at said gateway, determining if said packet has a security header;
   responsive to said packet having said security header, decapsulating said packet and saving any address translation rule included within said packet; and
   applying said address translation rule to said packet and thereafter communicating said packet from said gateway to said client.

22. The storage device of claim 21, said method steps further comprising the steps of:
   iteratively executing said decapsulating step until a resulting decapsulated packet no longer contains a security header.
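As an added illustration that is not part of the patent text, the following Python model walks through the gateway-side steps of claims 3 to 6 (mirrored in claims 11 to 14 and 19 to 22): the client address is learned from the request seen on the outer connection, the outer connection's NAT rule is propagated to the inner connection when it starts, inbound packets are decapsulated until no security header remains and are then source-in translated, and outbound packets are nested inner first, then outer. The Packet and Connection shapes, the security-association identifiers, the sample addresses and the reverse mapping applied on the return path are assumptions of this model, not anything the claims specify.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    sa: Optional[str] = None           # security header (SA id); None means a plain packet
    inner: Optional["Packet"] = None   # nested packet, present when sa is set

@dataclass
class Connection:
    sa: str
    nat_rule: Optional[tuple] = None   # (client_src, translated_src): source-in NAT rule

class Gateway:
    def __init__(self, addr, outer_sa, outer_rule):
        self.addr, self.client_addr = addr, None
        self.outer = Connection(outer_sa, outer_rule)  # outer connection configured with the rule
        self.conns = {outer_sa: self.outer}

    def start_inner(self, request, inner_sa):
        # Learn the client address from the request on the outer connection, then propagate its NAT rule inward.
        if request.sa != self.outer.sa or request.inner is None:
            raise ValueError("inner-connection request must arrive on the outer connection")
        self.client_addr = request.src
        self.conns[inner_sa] = Connection(inner_sa, self.outer.nat_rule)
        return self.conns[inner_sa]

    def receive(self, pkt):
        # Decapsulate until no security header remains (claim 6), saving the NAT
        # rule of each connection passed (claim 5), then apply source-in NAT.
        rule = None
        while pkt.sa is not None:
            conn = self.conns.get(pkt.sa)
            if conn is None or pkt.inner is None:
                raise ValueError(f"unknown or malformed security association {pkt.sa!r}")
            rule = conn.nat_rule or rule
            pkt = pkt.inner
        if rule and pkt.src == rule[0]:
            pkt = Packet(rule[1], pkt.dst)
        return pkt

    def send(self, pkt, inner_sa):
        # Outbound (claim 4): undo the mapping on dst (this model's assumption), nest inner first, then outer.
        rule = self.conns[inner_sa].nat_rule
        if rule and pkt.dst == rule[1]:
            pkt = Packet(pkt.src, rule[0])
        nested = Packet(self.addr, self.client_addr, inner_sa, pkt)
        return Packet(self.addr, self.client_addr, self.outer.sa, nested)
```

Because the rule is propagated rather than configured twice, a packet that arrives through both tunnels is translated by the same rule the administrator set on the outer connection alone, which is the property claim 11 describes.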